
Fortinet FortiGate-3600

Executive Summary

Fortinet’s FortiGate series of ASIC-accelerated multi-threat security systems are real-time network protection systems designed to detect and eliminate the most damaging, content-based threats from e-mail and Web traffic, such as viruses, worms, intrusions, spam and inappropriate Web content.

A range of models is available covering all sizes of installation from SOHO to service providers. The FortiGate-3600 uses multiple CPUs and FortiASIC chips to deliver a maximum throughput of 4Gbps. Each FortiGate-3600 unit includes redundant power supplies to minimize single-point failures, and supports load-balanced operation and redundant failover with no interruption in service. FortiGate systems also support high availability (HA).

The FortiGate-3600 features four Gigabit fibre and two Gigabit copper ports. These provide granular security through multi-zone capabilities, allowing administrators to segment their network into zones and create policies between zones.

The FortiGate-3600 system is rated at up to 4Gbps for the firewall alone, but naturally this drops considerably as each of the security modules is enabled. Modules are included for Firewall, Anti Virus, Intrusion Detection and Prevention, Anti Spam, Web Filtering, VPN, Traffic Shaping and Spyware Blocking.

We found the FortiGate-3600 to be very stable and reliable, and throughput and latency were reasonable for a device of this type.

Out of the box, alert handling and reporting are extremely limited, and so we would recommend the use of Fortinet’s own or third-party management and reporting tools to get the most from this product.

Architecture

The Fortinet appliance-based UTM offering consists of the following components:

FortiGate-3600 System

The FortiGate-3600 is a 2U rack mount appliance based on Fortinet’s FortiASIC Content Processor chip and multiple CPUs. The range of FortiGate appliances (various capacities to handle SOHO to enterprise/carrier environments) is intended to deliver complete, real-time network protection services at the network edge by incorporating the following services in a single device:

  • Firewall

  • Anti Virus

  • Intrusion Detection & Prevention

  • Anti Spam

  • Web Filtering

  • VPN

  • Traffic Shaping

  • Spyware Blocking

The FortiGate-3600 includes one copper 10/100Mbps port, four Gigabit fibre ports, and two Gigabit copper ports. The 100Mbps port is generally used for management, whilst one of the fibre ports can be used for HA operation if required.

Note that - as with most firewalls - it is not necessary to configure the in-line ports in pairs. Multiple external ports can all feed traffic to a single internal port, and each port can be protected by a different security policy. This is a very flexible implementation, and multiple ports provide granular security through multi-zone capabilities, allowing administrators to segment their network into zones and create different policies between those zones.

Up to 50,000 security policies (firewall rules) and 256 schedules can be created, giving the administrator considerable flexibility to tailor policies to individual networks, VLANs, ranges of IP addresses, and even individual hosts - all varied by the time of day or day of the week. Note that it is not possible to apply a different IPS or AV policy to different networks - the same global security module configuration applies to every policy in which that security module has been enabled. Within a policy, granularity extends only to enabling or disabling (and providing some high-level configuration for) each of the separate security services listed above.

The High-Availability (HA) port allows two or more FortiGate-3600 appliances to be configured in stateful clusters for improved scalability and uptime. All Fortinet devices support both active-active and active-passive failover modes, and failover is fully stateful. When all devices in a cluster are operational, performance is enhanced via load-sharing.

For those environments where uptime is critical, we would recommend using an HA configuration since a single FortiGate appliance will fail closed, and no bypass mode is available. Each FortiGate-3600 unit includes dual redundant hot-swappable power supplies and fans to minimize single-point failures, and also supports load-balanced operation and redundant failover with no interruption in service.

All the ports are mounted on the front panel of the appliance, along with a useful LCD display with control buttons. This can be used for limited management and monitoring functions without the need to attach a separate screen and keyboard.

Virus and attack updates can be downloaded automatically via a schedule set on the device. The appliance can also be configured to accept a “push” packet from the central Fortinet update server, which will prompt it to override the schedule and contact the server for an immediate update.

Command and control of the device can be provided via a Web-based GUI, or via an extremely powerful Command Line Interface (CLI) accessed via a direct serial connection, Telnet or SSH. The CLI provides the means not only to perform simple management tasks, but also to perform more extensive global operations which are simply not available via the browser interface. For those who prefer the Cisco-like CLI, complete control of the device can be effected in this way.

Web Manager

HTTP and HTTPS access is provided to the FortiGate appliance in order to use the browser-based configuration and management utility.

Web Manager provides an intuitive means to configure the majority of the parameters used to manage the FortiGate-3600.

A simple two-tier architecture is employed, and policies are stored directly on the appliance - there is no management server provided by default with the FortiGate appliances. This means that, out of the box, the Web GUI is intended to manage single devices, or small numbers of devices. Organisations with larger deployments need to consider purchasing the optional FortiManager product.

FortiManager

The FortiManager system is an integrated management and monitoring tool that enables enterprises and service providers to manage large numbers of FortiGate appliances.


Figure 1 - FortiGate: FortiManager

It minimises the administrative effort required to deploy, configure, monitor, and maintain the range of network protection services provided by FortiGate devices, simplifying the maintenance of security policies across multiple, dispersed FortiGate installations.

The robust, hardened FortiManager Server platform centralises configuration and monitoring of all FortiGate network protection functions, providing a central point for logging events and monitoring system status, traffic and threat activity. As with the FortiGate 3600, the 2U FortiManager appliance sports dual hot-swappable power supplies and fans.

FortiManager helps ensure consistent definition and application of polices across the full line of FortiGate Antivirus Firewalls, and provides a central point for monitoring system status and logging traffic and threat activity. Deployed as a multi-tiered system, which includes the FortiManager Server appliance and the HTTP-based FortiManager Console, the FortiManager System scales to support multiple system administrators and hundreds of FortiGate units.

Role-based administration capabilities make the FortiManager System suitable for large enterprises and for service providers offering managed security services. Different administrators can be restricted to specific management domains and specific functions. In addition, device grouping enables collections of FortiGate units to be aggregated into independent management domains to control administrative access and simplify policy deployment.

Logging & Reporting

The FortiLog family of turnkey logging and reporting appliances and the FortiReporter Security Analyser software package are dedicated solutions that aggregate and analyse log data securely from multiple FortiGate appliances.

The systems provide network administrators with a comprehensive view of network usage and security information, supporting the needs of enterprises and service providers responsible for discovering and addressing vulnerabilities across dispersed FortiGate installations. They minimize the effort required to monitor and maintain acceptable use policies, to identify attack patterns and attackers, and to comply with governmental regulations regarding privacy and disclosure of security breaches. They accept and process a full range of log records provided by FortiGate devices, including traffic, event, virus, attack, content filtering, and email filtering data.

FortiLog

The FortiLog family includes the FortiLog-100, 100A, 400, and 800 appliances which provide varying levels of storage and performance to meet a range of needs. Log records are transmitted from FortiGate units to FortiLog systems using encrypted VPN tunnels to ensure security. Capacities reach up to 360GB of log data and RAID levels (0, 1, and 5) can be selected to support desired trade-offs between capacity and data assurance. Built-in log analysis provides a central point for consistent analysis of network utilisation, Web activity and attack activity across multiple FortiGate systems.

FortiReporter

FortiReporter Security Analyser is a cost-effective, browser-based analysis, reporting and monitoring solution that generates reports across all FortiGate platform functionalities and provides IT administrators and security professionals with insight into network usage and attack activities.

FortiReporter Security Analyser is a software-only solution that provides comprehensive reports covering the full range of network and security activity, including virus and worm activity, bandwidth usage, network attacks, Web usage, and protocol usage. The FortiReporter system can collect and analyse data from all FortiGate models as well as from over 30 additional network and security devices from 3rd party vendors.

Performance

The aim of this section is to verify that the device is capable of operating under normal network conditions whilst effectively detecting and handling a range of virus infections, inappropriate content and spam traffic mixed with normal traffic.

The firewall is officially rated at 4Gbps by Fortinet, though it was only tested to a maximum of 1Gbps in this test. With a capacity of almost 20,000 TCP connections per second, over 10,000 SMTP sessions per second, and an effective bandwidth of 1Gbps in our testing environment, the basic firewall would perform well in a Gigabit environment. Over 1 million concurrent TCP connections are supported.

Latency is in the region of 349-375µs with 512 byte packets, which is excellent for a device designed for the network perimeter.

As you would expect, performance is at its worst once all modules are enabled. However, it should be noted that the effects are not strictly cumulative - even though both Anti Virus and Anti Spam modules have significant performance impacts when enabled individually, for example (see detailed results in Appendix A), the overall effect of having both enabled is not significantly greater than each one individually.

With all modules enabled, maximum TCP connections per second were around 1525, and effective bandwidth was 200-225Mbps. Around 8300 concurrent TCP connections were supported and SMTP performance was around 644 SMTP sessions per second.

We consider this to be very good performance for a device of this type.

Please refer to the Testing Methodology section for full details of the methodology used and detailed performance results of the individual security modules.

Security Effectiveness

The aim of this section is to verify that the device is capable of effectively applying a firewall policy, as well as detecting live virus traffic, inappropriate URLs, inappropriate Web and mail content, and spam e-mail. All inappropriate/infected traffic should be handled properly according to the protocol and applied security policy (blocked, rejected, replaced, etc.).

The basic firewall was secure, with no obvious means of circumventing the applied policy.

IPS capabilities are good, demonstrating good coverage (100% of our basic exploit test cases were detected) and good resistance to common evasion techniques. The IPS module has been separately certified and received NSS Approved as a stand-alone 400MBps IPS device - currently the only UTM device to have achieved this.

URL category filtering was excellent, with 100% of our “bad” URLs being detected and no overblocking evident during our tests. Categorisation seemed to be reasonably accurate. All inappropriate Web and mail content was blocked successfully, as were all files with prohibited extensions.

All of the WildList virus samples in our test suite were detected and blocked successfully with accurate signatures, whilst all of the zoo virus samples were detected successfully using heuristic scanning (it is also possible to configure the device to block these heuristic scans via the command line, if required).

Both the detect & alert and the quarantine functions worked flawlessly - there is no disinfect capability.

92 per cent of the live spam samples in our test suite were detected and blocked successfully, mainly via detection of URL links within the messages. This is an excellent score. Both the detect & flag and the reject message functions worked flawlessly - there are no quarantine or accept & discard message capabilities.

Please refer to the Testing Methodology section for full details of the methodology used and detailed performance results of the individual security modules.

Usability

This part of the test procedure consists of a subjective evaluation of the features and capabilities of the product, and covers installation, configuration, policy editing, alert handling, and reporting and analysis.

Installation

Installation of the FortiGate-3600 is very straightforward, and can be accomplished via a simple Wizard under the browser-based GUI, via the Command Line Interface (CLI), or via the front panel-mounted control buttons and LCD. The first decision to be made is which operating mode should be configured for the device: NAT/Route Mode or Transparent Mode.


Figure 2 - FortiGate: Setup Wizard

In Transparent Mode, the FortiGate-3600 is invisible to the network, behaving as a simple “bump in the wire”. All of its interfaces are on the same subnet, and only a management IP address needs to be configured to allow configuration changes. This is more suitable for use when the appliance is being deployed as an in-line IPS device than as a perimeter gateway, and it is nice to see this as an option.

A more typical deployment mode for a perimeter gateway/firewall device is NAT/Route Mode.

Here, the FortiGate-3600 is visible to the network, since each of the internal and external interfaces is configured with a valid IP address. The default policy provides access to the Internet for users on the internal network, while the FortiGate-3600 blocks all other traffic. More complex security policies can then be defined to configure antivirus protection, content filtering, Network Intrusion Prevention (NIPS), and Virtual Private Networks (VPNs).

Security policies control whether communications through the FortiGate-3600 operate in NAT mode or in route mode. In NAT mode, the FortiGate-3600 performs Network Address Translation before IP packets are sent to the destination network. In route mode, no translation takes place. By default, the unit has a single NAT mode policy that allows users on the internal network to securely access and download content from the Internet. No other traffic is possible until the administrator configures additional security policies.

There is an installation method to suit everyone - those who love GUIs, those who cannot manage without a Command Line Interface, and those who like pushing buttons on the front panel.

Web-based manager & Setup Wizard - The FortiGate Web-based manager Setup Wizard guides the administrator through the initial configuration steps. It is used to configure the administrator password, interface addresses, default gateway address, internal server addresses, and AV policy.

Command Line Interface (CLI) - The CLI is a full-featured management tool accessed via a serial cable connected to the front panel serial port (or via SSH/Telnet once the device has been installed). It can be used to configure the administrator password, the interface addresses, the default gateway address, and the DNS server addresses, and the excellent Quick Start Guide provides enough information to allow the administrator to have the device up and running in this mode. Beyond that, the device can be managed entirely via the CLI if required, and those who are used to the Cisco CLI will feel at home on the FortiGate. For those not so well versed, there is an extensive CLI Reference Guide available.

Control Buttons & LCD - The control buttons and LCD are located on the front panel of the FortiGate-3600. These can be used to configure the internal/external interface addresses, and the default gateway address. To configure the other interface and server addresses, the Web-based manager or the CLI are required. The front panel buttons thus provide the ideal way to provide initial connectivity to the FortiGate appliance without having to adjust IP addresses on your management console PC.

During configuration, it is possible to define the services which are available on each interface for management purposes. Thus, it is possible to enable or disable HTTP/HTTPS for the Web-based manager, or Telnet/SSH for the CLI.

A range of excellent documentation is available including the aforementioned Quick Start Guide and CLI Reference Guide, as well as a comprehensive FortiGate-3600 Installation Guide and Administration Guide. Separate manuals are also available for HA, FortiManager, FortiLog, VPN and IPS, and all documentation is provided as PDF files only.

Overall, the level of detail was generally fairly good, and we found coverage of all the main features to be reasonably comprehensive and very clear.

Configuration

Aside from the command line, the Web Manager is the main utility for managing and configuring the FortiGate-3600. This communicates directly with a single FortiGate appliance, and all configuration and policy information is stored on the appliance. For this reason it obviously has a very device-centric view - it is impossible, for example, to group multiple devices together and apply a single security policy to the group.

This clearly does not scale well for management of multiple devices, but for those sites with a single FortiGate (or small numbers) it is adequate. For sites with large numbers of Fortinet appliances (typically larger corporate customers with a head office/multiple branch office scenario), the optional (extra cost) FortiManager product would be essential.


Figure 3 - FortiGate: Device management in FortiManager

FortiManager provides a separate appliance-based management server and a HTTPS-based console, which enables centralised storage of policy and configuration information, logical grouping of multiple FortiGate appliances, centralised updating of firmware and signatures, and one-click deployment of security policies throughout the organisation. It also provides a centralised real-time monitoring capability which provides a simple overview of the status of all devices under its control, and the ability to view summary statistics for individual devices. There is no centralised alert-handling capability, however (FortiLog is required for that).

We found the Web Manager to be intuitive, and very straightforward to use. Multiple administrators can be created, each with a unique Access Profile that restricts read and write access to individual system modules, such as System Configuration, Log & Report, Security Policy, and so on. Each administrator can also be restricted to using a specific host or range of hosts from which they can access the FortiGate appliance.

This level of granularity is adequate for many environments, but we would like to see it extended to restricting access to the major security modules within the FortiGate appliance (available in next release).

This would make it possible to restrict one administrator to AV configuration, one to IPS configuration, one to Web Content Filtering administration, and so on. More importantly - especially in a managed services environment or a large corporate deployment where separate administrators are responsible for individual subnets - we would like to see the ability to control access to individual security policies, and individual subnets or port pairs.


Figure 4 - FortiGate: Configuring administrator access

Once logged in, the administrator is presented with a column of tabs down the left side of the screen covering the major components of the device:

  • System - including Status screen, network configuration, admin user management, maintenance operations and virtual domains

  • Router - to define static routes, routing objects and policy routing. Using policy routing the FortiGate unit can be configured to route packets based on source address, protocol, service type, port range, or inbound/source interface

  • Firewall - including policy creation, address ranges/groups, service definitions, schedules (different policies can be applied at different times of the day, or day of the week) and protection profiles (allowing configuration of the protection modules including Anti Virus, Web Filtering, Web Category Filtering, Spam Filtering, IPS, and Content Logging, and their application to firewall rules)

  • User - to define local users and groups, as well as LDAP directories and RADIUS servers

  • VPN - to define IPSec policies and manage certificates

  • IPS - to manage signatures and anomalies

  • Anti Virus - to configure file blocking and quarantine activity

  • Web Filter - covering content blocking, URL blocking, URL exempt lists, Web category blocking and script filtering (Java applets, Cookies and ActiveX)

  • Spam Filter - covering creation of IP black lists and white lists, RBL and ORDBL servers, e-mail address black lists and white lists, MIME header black lists and white lists, and banned word lists

  • Log & Report - providing access to log configuration and basic log files in memory and on disk for Traffic Management, Events, Attacks, Anti Virus, Web Filter, Spam Filter and Content Filter.

The System Status screen provides useful summary information on the current state of the appliance, including up-time, disk capacity, CPU usage, memory usage, active sessions, network utilisation, recent virus detections and recent attacks.

A useful Content Summary section displays a summary of the number of URLs visited, e-mails sent and FTP files uploaded/downloaded, and clicking the hyperlink for each of these displays the 64 most recent transactions in more detail.


Figure 5 - FortiGate: System Status screen

Also provided on the System Status screen are the current firmware version, AV definitions and attack definitions, along with the means to update them via a file on the local system. They can also be updated automatically via the FortiProtect Distribution Network, and the appliance can be configured to check automatically at scheduled intervals, or accept “push updates”.

With the latter, the FortiProtect server sends a push packet to cause the appliance to connect and request an immediate update - thus although the initial “push” comes from the FortiProtect server, it is still the FortiGate appliance which actually establishes the secure outbound connection.

The Backup & Restore option provides the means for the administrator to backup and restore key configuration files, such as black list, white lists, address lists, certificates and the entire system configuration. This also provides the means to transfer overall “policy” configuration from one device to another when the FortiManager product is not used to manage centrally.

Policy Management

Although the term “policy” does exist in FortiGate terminology, it does not, as you might expect, apply to the overall collection of configuration parameters which can be saved and deployed to an appliance.

When using the Web Manager, the “policy” which controls the device to which the Web Manager is attached (bear in mind it can only access one device at a time) is stored on the FortiGate appliance itself, and is generally referred to as the “system configuration”. Therefore, the only way to save one particular “policy” for recall at a later date is to backup the entire system configuration, and restore it as required (this forces a system reboot, however, during which the device - and thus the networks behind it - are unavailable).


Figure 6 - FortiGate: Configuring firewall policies

In general, we found the FortiGate configuration to be very straightforward. Many complex configuration options are hidden from the user (either hard-wired or available only via the CLI), keeping configuration complexity to a minimum using just a series of check boxes and radio buttons.

Firewall

What Fortinet refers to as Firewall Policies, most people would call “rules”. The first task an administrator needs to perform is to create Firewall Policies between the Internal and External ports, allowing traffic to pass through the device - or be denied by the device - as required.

The simplest (default) policy set would be to allow all outbound traffic, and deny all inbound traffic (other than that which is part of an established session). Policy rules can specify source and destination interface and/or IP address, a schedule (rules can be applied at certain times of the day or days of the week if required), a service (HTTP, FTP, etc.) and an action (accept, deny or encrypt).

Each policy can be individually configured to route connections or apply Network Address Translation (NAT) to translate source and destination IP addresses and ports. The administrator can add IP pools to use dynamic NAT when the firewall translates source addresses, and policies can be used to configure Port Address Translation (PAT) through the FortiGate.

It is also possible to enforce traffic shaping on a per-policy basis - guaranteeing a minimum bandwidth or priority, or restricting traffic to a maximum bandwidth - and to enable traffic logging for a firewall policy so that the FortiGate unit logs all connections that use that policy. Fortinet claims a maximum of 50,000 policies can be supported by the FortiGate-3600, and 256 schedules.


Figure 7 - FortiGate: Assigning Protection Profile to a Firewall Policy

Access to network resources can be controlled by defining lists of authorised users, called user groups. To use a particular resource, such as a network or a VPN tunnel, the user must belong to one of the user groups that is allowed access, and must correctly enter a user name and password to prove his or her identity at the point of access. The FortiGate unit can verify the user’s credentials locally or using an external LDAP or RADIUS server.

Once firewall policies (rules) have been created, the administrator creates one or more Protection Profiles in order to determine which of the security services are active, which are disabled, and how each active module is configured. These can be applied on a per-policy basis, allowing the administrator to:

  • Configure antivirus protection for HTTP, FTP, IMAP, POP3, and SMTP policies

  • Configure Web filtering for HTTP policies

  • Configure Web category filtering for HTTP policies

  • Configure spam filtering for IMAP, POP3, and SMTP policies

  • Enable IPS for all services

  • Enable content archiving to a FortiLog unit for all services

Within the firewall configuration, we are simply defining which of the protection modules are to be applied to which traffic streams on which physical/logical interfaces. This is very flexible, since it means that a particular policy can be defined for traffic destined for a certain subnet, to which we only want to apply AV scanning and nothing else. Another policy for another set of traffic may enforce AV scanning and Anti Spam filtering - and so on. Once those have been applied, the main tabs along the left side of the screen described earlier are used to configure those protection modules in detail.


Figure 8 - FortiGate: Configuring Protection Profiles

FortiGate also supports the concept of Zones, which are virtual groupings of ports and/or VLAN sub-interfaces designed to simplify firewall policy creation. For example, it is possible to group together three ports into a single logical zone - this would mean that only a single firewall rule would be needed to control traffic for that zone, instead of one for each interface.

Security Profiles define which security services are enabled and which features are applied - i.e. file blocking for AV, protocols subjected to AV scanning, and so on. Separate configuration screens are also available for each service allowing global features to be configured - these are applied across all security profiles which have that particular service enabled. So, for example, “bad words” need be defined only once in the AV global configuration, and within each security profile it is then only necessary to specify that you want content to be scanned for bad words and subsequently blocked.

This works well for services such as AV, Anti Spam and Content Filtering, where bad content needs to be defined only once. However, it is more restrictive for IPS.

The signatures and their actions are enabled globally, and thus cannot be changed on a per-profile basis. Since profiles can be applied on a per-port basis, this means that it is not possible to disable groups of signatures in individual profiles. This prevents the administrator from disabling HTTP signatures on a DMZ which only contains FTP servers.
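To make the policy structure described in this section concrete (zones grouping interfaces, rule-ordered firewall policies carrying a schedule and a Protection Profile, and a single global IPS signature set that a profile can only switch on or off), here is an added Python model. It is not Fortinet code; the interface names, networks, signature groups, schedules and sample flows are constructed assumptions.

```python
"""Toy model of the FortiGate policy structure described in this review.
Zones group interfaces, firewall policies are matched in order and carry a
schedule and a Protection Profile, and the IPS signature set is global.
Added example, not Fortinet code: all names, networks and values are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Zones: virtual groupings of ports, so one rule covers several interfaces (constructed).
ZONES = {
    "internal": {"port1", "port2", "port3"},
    "dmz": {"port4"},
    "external": {"port5"},
}

@dataclass
class Schedule:
    days: set          # weekday numbers, 0 = Monday .. 6 = Sunday
    start_hour: int
    end_hour: int      # exclusive

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start_hour <= at.hour < self.end_hour

ALWAYS = Schedule(days=set(range(7)), start_hour=0, end_hour=24)
OFFICE_HOURS = Schedule(days={0, 1, 2, 3, 4}, start_hour=8, end_hour=18)

@dataclass
class ProtectionProfile:
    """Per-policy switches: which module is applied to which protocol."""
    av_protocols: set = field(default_factory=set)    # e.g. {"HTTP", "FTP", "SMTP"}
    spam_protocols: set = field(default_factory=set)  # meaningful for IMAP/POP3/SMTP only
    web_filter: bool = False                          # HTTP only
    ips: bool = False                                 # whole-profile on/off switch

# Global IPS configuration: signature groups and their actions are defined once
# and apply unchanged to every policy whose profile has IPS enabled.
GLOBAL_IPS_SIGNATURES = {"HTTP": "block", "FTP": "block", "SMTP": "alert"}

@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    service: str                     # "HTTP", "FTP", "SMTP", ... or "ANY"
    action: str                      # "accept", "deny" or "encrypt"
    schedule: Schedule = field(default_factory=lambda: ALWAYS)
    profile: Optional[ProtectionProfile] = None

def zone_of(interface: str) -> Optional[str]:
    return next((z for z, ports in ZONES.items() if interface in ports), None)

def evaluate(policies, in_if, out_if, src, dst, service, at):
    """Return (action, applied_modules, ips_signatures) from the first matching
    policy; traffic that matches no policy is implicitly denied."""
    src_zone, dst_zone = zone_of(in_if), zone_of(out_if)
    for p in policies:
        if (p.src_zone, p.dst_zone) != (src_zone, dst_zone):
            continue
        if ip_address(src) not in ip_network(p.src_net) or ip_address(dst) not in ip_network(p.dst_net):
            continue
        if p.service not in ("ANY", service) or not p.schedule.active(at):
            continue
        if p.action == "deny" or p.profile is None:
            return p.action, set(), {}
        prof, modules = p.profile, set()
        if service in prof.av_protocols:
            modules.add("AV")
        if service in prof.spam_protocols and service in {"IMAP", "POP3", "SMTP"}:
            modules.add("AntiSpam")
        if prof.web_filter and service == "HTTP":
            modules.add("WebFilter")
        # IPS is only a switch: enabling it pulls in the whole global signature set,
        # so an FTP-only DMZ still gets the HTTP signatures.
        ips = dict(GLOBAL_IPS_SIGNATURES) if prof.ips else {}
        if ips:
            modules.add("IPS")
        return p.action, modules, ips
    return "deny", set(), {}

# Constructed policy set and sample times (private and RFC 5737 documentation addresses).
WEB_PROFILE = ProtectionProfile(av_protocols={"HTTP"}, web_filter=True, ips=True)
DMZ_PROFILE = ProtectionProfile(av_protocols={"FTP"}, ips=True)
POLICIES = [
    Policy("internal", "external", "10.0.0.0/8", "0.0.0.0/0", "HTTP", "accept", OFFICE_HOURS, WEB_PROFILE),
    Policy("external", "dmz", "0.0.0.0/0", "192.0.2.0/24", "FTP", "accept", ALWAYS, DMZ_PROFILE),
]
MONDAY_10AM = datetime(2025, 6, 2, 10, 0)
SATURDAY_10AM = datetime(2025, 6, 7, 10, 0)

if __name__ == "__main__":
    print(evaluate(POLICIES, "port2", "port5", "10.1.2.3", "198.51.100.7", "HTTP", MONDAY_10AM))
    print(evaluate(POLICIES, "port2", "port5", "10.1.2.3", "198.51.100.7", "HTTP", SATURDAY_10AM))
    print(evaluate(POLICIES, "port5", "port4", "203.0.113.9", "192.0.2.20", "FTP", MONDAY_10AM))
```

Running the script prints the modules applied to an office-hours HTTP flow, the implicit deny of the same flow at the weekend, and an FTP flow into the DMZ; the last case shows that enabling IPS in the DMZ profile pulls in the global HTTP signatures along with the FTP ones.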

VPN

A VPN connection is initiated when traffic is accepted by a firewall policy where the action is set to encrypt. Both remote client and site-to-site VPNs are supported. FortiGate units support the following protocols to authenticate and encrypt traffic:

  • Internet Protocol Security (IPSec)

  • Point-to-Point Tunnelling Protocol (PPTP)

  • Layer Two Tunnelling Protocol (L2TP)

The following symmetric-key algorithms can be used for IPSec Phase 1 negotiation (pre-shared keys or RSA signatures can be used):

  • DES (Digital Encryption Standard) - A 64-bit block algorithm that uses a 56-bit key.

  • 3DES (Triple-DES) - Plain text is encrypted three times by three keys.

  • AES128 - A 128-bit block algorithm that uses a 128-bit key.

  • AES192 - A 128-bit block algorithm that uses a 192-bit key.

  • AES256 - A 128-bit block algorithm that uses a 256-bit key.

Either of the following message digests can be used to check the authenticity of messages during phase 1 negotiations:

  • MD5 - Message Digest 5, the hash algorithm developed by RSA Data Security.

  • SHA1 - Secure Hash Algorithm 1, which produces a 160-bit message digest.

For phase 2 negotiations, the same symmetric key algorithms and message digests can be used if required, or none at all. The use of manual keys is supported where prior knowledge of the encryption and/or authentication key is required (that is, one of the VPN peers requires a specific IPSec encryption and/or authentication key), or where encryption and authentication needs to be disabled. �

The FortiGate-3600 can act as a VPN concentrator. In a hub-and-spoke configuration all VPN tunnels terminate at a single, central FortiGate unit (the “hub”), and the remote peers that connect to it are the “spokes”. There are no direct site-to-site tunnels between spokes; instead the hub manages every connection, and traffic between any two spokes passes from one tunnel to the other through it.

A ping generator is available to generate traffic in an IPSec VPN tunnel to keep the tunnel open when no traffic is flowing inside it (useful in dial-up or dynamic DNS situations), and the monitor can be used to view activity on IPSec VPN tunnels and start or stop them. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels.

IPS

Activating the IPS section of the policy is simply a matter of checking the IPS Signature and IPS Anomaly boxes in the Protection Profile.

As mentioned previously, the detailed IPS configuration (i.e. which signatures are enabled/disabled, whether the action is to block or pass traffic, whether alerts should be logged or not, etc.) is performed via the global IPS configuration screen, and it is thus only possible to globally enable or disable all signatures and/or all anomalies at the Firewall Policy level.

It would be much more flexible and powerful if it were possible to create multiple separate IPS policies and assign those to separate Firewall Policies. That would provide a “virtual IPS” capability, with different protection policies applied to different address ranges, hosts, physical ports, logical port groups or VLANs. Maybe in a future release?


Figure 9 - FortiGate: Configuring IPS

The default IPS configuration out of the box implements recommended settings for all of the signatures and anomalies. Those for which there is little chance of raising false positive alerts are set to “block” traffic, the rest are set to “alert” only. Most are set to create log events when an alert is raised, although some of the “noisier” flood-related signatures are set to drop traffic silently, with no logging.

Configuring the IPS settings in detail is accomplished via two tabs - Anomalies and Signatures. Whereas the Anomalies consist mainly of bad traffic (fragmented packet attacks, Ping of Death, and so on) and rate-based exploits (SYN Floods, UDP Floods, etc), the Signatures consist of application-level exploits - there are over 1300 in total in the current signature pack.

They are grouped together to identify their target (backdoors, Apache, Finger, FTP, IIS, and so on), and each group can be expanded to display the signatures within. It is easy to see which are enabled via the bright green tick marks against each one, and the same icon is used to highlight those with logging enabled. Also against each signature is its revision number, and the current action (pass, drop, reset, etc.).

Changing any of the default signature settings causes a green button to appear alongside the changed signature on-screen. Clicking on this button causes all of the settings to revert to the recommended settings originally applied by default - a nice touch.

In spite of the signature groupings, it is extremely difficult to locate specific signatures for maintenance operations, and a search facility would be useful. Nor is it possible via the GUI to make mass changes to groups of signatures. More flexibility is required here (mass changes via the GUI will be available in the next release).

It is possible to create custom signatures and apply them via the GUI. Each signature, however, must be created and entered longhand into the GUI, crafted from a complex (at least for lay-users) Snort-like signature language. As with most IPS/IDS products, custom signature creation is not for the fainthearted, but at least it is catered for with the FortiGate.

Content Filtering

Note that two of the features that we consider part of the Content Filtering modules are actually handled by other modules in the FortiGate - file blocking for all services is handled by the AV module, whilst scanning e-mails for inappropriate content (bad words) is handled by the Anti Spam module.


Figure 10 - FortiGate: Configuring Web Category Filters

Web filtering includes various modules and engines that perform separate tasks. The FortiGate unit performs Web filtering in the order the filters appear in the Web-based manager menu: content block, URL block, URL exempt, category block (FortiGuard), and script filter.

FortiGuard Web Filtering is a managed service provided by Fortinet. Fortinet sorts Web pages (over 2 billion to date, and 27 million domains) into a wide range of categories that users can allow, block, or monitor.

The FortiGate unit accesses the nearest FortiGuard Service Point to determine the category of a requested Web page and then follows the firewall policy configured for that user or interface. Note that it is possible to configure an internal FortiGuard server which is based on the local FortiManager appliance - this is how testing was performed in order to provide the most consistent performance level.

FortiGuard includes over 60 million individual ratings of Web sites applying to hundreds of millions of pages. Pages are rated into 56 categories that users can allow, block, or monitor. Categories may be added to or updated as the Internet evolves. Users can also choose to allow, block, or monitor entire groups of categories to make configuration simpler. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.

FortiGuard ratings are performed by a combination of proprietary methods including text analysis, exploitation of the Web structure, and human input. Users can notify the FortiGuard Service Points if they feel a Web page is not categorised correctly.

The following configuration options are available:

  • Web content block - Enable or disable Web page blocking based on the banned words and patterns in the content block list for HTTP traffic. Allows the administrator to control Web content by blocking specific words or word patterns at a global level (per-user lists are not available). The FortiGate unit blocks Web pages containing banned words and displays a replacement message instead. The administrator can add words and patterns to block Web pages containing those words or patterns - both Perl regular expressions and wildcards can be used when adding banned word patterns to the list.

  • Web URL block - Enable or disable Web page filtering for HTTP traffic based on the URL block list. The administrator can block access to specific URLs by adding them to the URL block list. The FortiGate unit blocks Web pages matching any specified URLs or patterns and displays a replacement message instead. The administrator can add URLs and URL patterns to block Web pages from specific sources. Patterns using text and regular expressions (or wildcard characters) can be used, and URLs can be added individually by hand, or in bulk by uploading commercially available block lists.

  • Web exempt list - Enable or disable Web page filtering for HTTP traffic based on the URL exempt list. Exempt URLs are not scanned for viruses.

  • Web script filter - Enable or disable blocking scripts from Web pages for HTTP traffic.

  • Web resume download block - Enable blocking of the remainder of partially downloaded files (a file fetched in resumed pieces would otherwise never be presented to the scanner as a whole).

  • Web category filtering (HTTP only) - Allows blocking of Web content based on the FortiGuard category database. The FortiGuard Web filtering service provides many categories (adult materials, gambling, shopping, violence, etc.) by which Web traffic can be filtered. The administrator can set the action to take on Web pages for each category, choosing from allow, monitor, or reject.

  • Block unrated websites (HTTP only) - Blocks any Web pages that have not been rated by FortiGuard.

  • Allow websites when a rating error occurs (HTTP only) - Enables access to Web pages that return a rating error from FortiGuard, thus preventing accidental over-blocking due to FortiGuard problems
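As an added illustration (not Fortinet's code, nor anything shipped with the FortiGate), the following Python models the filter order described above - content block, URL block, URL exempt, category block and script filter - so that the consequence of that order can be seen on sample requests: a URL exempt entry ends processing before the category check and script filter run, whereas a content-block hit wins even for an exempt URL. The category lookup (constructed_rate), the host names, the categories and the page bodies are constructed for the example; the real FortiGuard service is not contacted.

```python
import fnmatch
import re
from dataclasses import dataclass


class RatingError(Exception):
    """Simulates a FortiGuard rating lookup that fails (no answer from the service point)."""


@dataclass
class WebFilterProfile:
    banned_words: list          # Perl-style regexes applied to the page body (content block)
    url_block: list             # wildcard patterns matched against the full URL
    url_exempt: list            # wildcard patterns; a hit skips every later filter
    category_action: dict       # category -> "allow" | "monitor" | "reject"
    block_unrated: bool = False
    allow_on_rating_error: bool = True
    script_filter: bool = True


SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def _match_any(url, patterns):
    return any(fnmatch.fnmatchcase(url.lower(), p.lower()) for p in patterns)


def filter_request(profile, url, body, rate):
    """Apply the filters in the documented order and return (verdict, reason, body).

    verdict is "block", "monitor" or "allow"; body is what gets delivered (None when
    blocked). `rate` is the category lookup; here it is a constructed stand-in.
    """
    # 1. content block: banned words or patterns anywhere in the page body
    for pat in profile.banned_words:
        if re.search(pat, body, re.IGNORECASE):
            return "block", f"content block: {pat}", None
    # 2. URL block list
    if _match_any(url, profile.url_block):
        return "block", "url block", None
    # 3. URL exempt list: a hit ends processing, so nothing below runs for it
    if _match_any(url, profile.url_exempt):
        return "allow", "url exempt", body
    # 4. category block (FortiGuard), with the unrated and rating-error options
    try:
        category = rate(url)
    except RatingError:
        if not profile.allow_on_rating_error:
            return "block", "rating error", None
        category = "rating-error"
    if category == "unrated" and profile.block_unrated:
        return "block", "unrated", None
    action = profile.category_action.get(category, "allow")
    if action == "reject":
        return "block", f"category {category}", None
    # 5. script filter: strip scripts from the delivered page
    if profile.script_filter:
        body = SCRIPT_RE.sub("", body)
    return ("monitor" if action == "monitor" else "allow"), f"category {category}", body


# Constructed category table standing in for the FortiGuard service point.
CONSTRUCTED_RATINGS = {
    "www.example-gambling.test": "gambling",
    "intranet.example.test": "business",
    "shop.example.test": "shopping",
}


def constructed_rate(url):
    host = url.split("/")[2].lower()
    if host == "down.example.test":          # simulate the service point not answering
        raise RatingError(host)
    return CONSTRUCTED_RATINGS.get(host, "unrated")


def run_examples():
    profile = WebFilterProfile(
        banned_words=[r"\bfree\s+casino\b"],
        url_block=["*://*.blocked.test/*"],
        url_exempt=["*://intranet.example.test/*"],
        category_action={"gambling": "reject", "shopping": "monitor"},
        block_unrated=True,
    )
    page = "<html><script>evil()</script><p>hello</p></html>"
    r = constructed_rate
    return {
        "gambling": filter_request(profile, "http://www.example-gambling.test/", page, r),
        # exempt hit: category check and script filter are skipped, the script survives
        "exempt": filter_request(profile, "http://intranet.example.test/a", page, r),
        # content block runs before the exempt list, so the banned phrase still blocks
        "exempt_banned": filter_request(profile, "http://intranet.example.test/b", "free casino!", r),
        "unrated": filter_request(profile, "http://unknown.test/", page, r),
        # rating error with allow-on-error set: delivered, but the script filter still runs
        "rating_error": filter_request(profile, "http://down.example.test/", page, r),
        "monitor": filter_request(profile, "http://shop.example.test/cart", page, r),
        "url_block": filter_request(profile, "http://ads.blocked.test/x", page, r),
    }
```

The "exempt" result is the one to note: the script tag survives because the exempt list short-circuits every remaining filter (and, as the option list states, exempt URLs are not virus scanned either), so exempt patterns should be kept as narrow as the business need allows.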

Anti Virus

Anti Virus processing includes various modules and engines that perform separate tasks. The FortiGate unit performs AV processing in the order the features appear in the Web-based manager menu: file block, virus scan, and grayware, followed by heuristics. Heuristic scanning provides the means to scan for virus-like characteristics without relying on signatures, and this is configurable only through the CLI. During testing, this feature proved to be remarkably reliable in detecting zoo viruses which were not included in the WildList signatures.


Figure 11 - FortiGate: Configuring Anti Virus

FortiGuard Antivirus, FortiGuard IPS and FortiGuard Antispam services include automatic updates of virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through the FortiGuard Distribution Network (FDN). The FortiGuard Centre also provides the FortiGuard virus and attack encyclopaedia and the FortiGuard Bulletin.

The FortiGate unit blocks infected files or files that match a configured file block pattern and displays a replacement message instead. The FortiGate unit also writes a message to the virus log and sends an alert e-mail if configured to do so.

The following configuration options are available:

  • Virus scan - Enable or disable virus scanning for each protocol (HTTP, FTP, IMAP, POP3, SMTP). It is also possible to view a read-only list of all current viruses (this would be a more useful feature if it were possible to select a virus name and have the system display details about that virus).

  • File block - Enable or disable file blocking for each protocol. If both file block and virus scan are enabled, the FortiGate unit blocks files that match enabled file patterns and does not scan these files for viruses. Files can be blocked by name, extension, or any other pattern allowing the administrator to block all executables, command files, or other dangerous file types

  • Quarantine - Enable or disable infected file quarantining for each protocol. Quarantine is only available on units with a local hard disk (like the FortiGate-3600). Configuration options include whether to quarantine blocked or infected files and from which service. The administrator can also configure the time to live and file size values, and enable AutoSubmit settings (this submits suspicious files to Fortinet for further investigation).

  • Quarantine processing - View and sort the list of quarantined files, and configure file patterns to upload automatically to Fortinet for analysis. Quarantine capabilities are at a global level only (per-user quarantine is not available)

  • Fragmented e-mails - Enable or disable passing fragmented e-mails (fragmented e-mails cannot be scanned for viruses)

  • Oversized file/e-mail - Configure the FortiGate unit to block or pass oversized files and e-mails for each protocol. Set the size thresholds for files and emails for each protocol in Antivirus.

  • Grayware - Configure blocking of ‘grayware’ programs, unsolicited commercial software programs that are often installed on computers automatically and without the user’s consent or knowledge (adware, jokes, peer-to-peer, etc.)

  • E-mail signature - Create and enable a signature to append to all outgoing e-mails (SMTP only)

When the quarantine feature has been enabled, the quarantined files list displays information about each file that is held because of virus infection or file blocking. The files can be sorted by any one of file name, date, service, status, duplicate count (DC), or time to live (TTL), and it is also possible to filter the list to view only quarantined files with a specific status or from a specific service.

A number of CLI commands are available to configure AV operation, including the ability to optimise for normal traffic processing or AV scanning, block “suspicious” files triggered by the heuristic scanner, and so on.

Anti Spam

The spam filter can be configured to manage unsolicited commercial e-mail by detecting spam e-mail messages and identifying spam transmissions from known or suspected spam servers.

Fortinet’s FortiGuard Antispam service includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of e-mail servers known to be used to generate spam. The URL black list contains URLs of Web sites found in spam e-mail.

As with Web category filtering, this can be provided as a managed service or configured to use an internal FortiManager server. Note that for testing purposes, only the FortiGuard options, MIME header check and banned word check were enabled, since none of these rely on external servers (thus providing a more consistent performance during testing).

Generally, inbound e-mail is passed through the spam filters in the order the filters appear in the spam filtering options list in a firewall protection profile: IP address FortiGuard, URL FortiGuard, IP address BWL, DNSBL & ORDBL, HELO DNS lookup, e-mail address BWL, return e-mail DNS check, MIME header, and banned word (content block).

There is no lexical analysis performed (Fortinet produces a separate e-mail security gateway appliance which offers more advanced options such as lexical analysis).

On the first pass, if the IP address FortiGuard check is selected in the protection profile, the SMTP mail server source address is extracted and sent to an external FortiGuard server to see if it matches the list of known spammers. If the URL FortiGuard check is selected in the protection profile, the body of each e-mail message is checked to extract any URL links. These URL links are sent to an external FortiGuard server to see if any of them is listed.


Figure 12 - FortiGate: Configuring Anti Spam

If an IP address or URL match is found, FortiGate terminates the session. If FortiGuard does not find a match, the mail server sends the e-mail to the recipient. As each e-mail is received, FortiGuard performs the second anti spam pass by checking the header, subject, and body of the e-mail for common spam content. If FortiGuard finds spam content, the e-mail is tagged or dropped according to the configuration in the firewall protection profile.

Each filter passes the e-mail to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate unit will tag (POP3, IMAP or SMTP) or discard (SMTP only) the e-mail according to the settings in the protection profile. If the action in the filter is Mark as Clear, the e-mail is exempt from any remaining filters. If the action in the filter is Mark as Reject, the e-mail session is dropped. Rejected SMTP e-mail messages are substituted with a configurable replacement message.

The order of spam filter operations may vary between SMTP and IMAP or POP3 traffic because some filters only apply to SMTP traffic (IP address and HELO DNS lookup). Also, filters that require a query to a server and a reply (FortiGuard, called FortiShield in earlier releases, and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as it is received.

The following configuration options are available:

  • IP Address/URL FortiGuard check - FortiGuard is Fortinet’s own DNSBL server that provides spam IP address and URL blacklists. Fortinet keeps the FortiGuard IP and URLs up-to-date as new spam sources are found.

  • IP address BWL check - Enable or disable checking the connecting server’s IP address against the configured spam filter IP address black/white list (SMTP only). IP addresses can be added to the list, and the administrator can configure the action to take as ‘spam’ (subject line or MIME header is tagged with a spam flag), ‘clear’ (e-mail is allowed through unchanged), or ‘reject’ (message is discarded) for each IP address. The filter checks each IP address in sequence.

  • DNSBL & ORDBL check - Enable or disable checking e-mail traffic against configured DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers. The administrator can add or remove DNSBL and ORDBL servers to and from the list, and can configure the action to take as ‘spam’ or ‘reject’ for e-mail identified as spam from each server (SMTP only).

  • HELO DNS lookup - Enable or disable checking the source domain name against the registered IP address in the Domain Name Server. If the source domain name does not match the IP address, the e-mail is marked as spam and the action selected in the protection profile is taken.

  • E-mail address BWL check - Enable or disable checking inbound e-mail addresses against the configured spam filter e-mail address list. The administrator can add e-mail addresses to the list, with the option of using wildcards and regular expressions. The action can be configured as ‘spam’ or ‘reject’ for each e-mail address.

  • Return e-mail DNS check - Enable or disable checking inbound e-mail return address domain against the registered IP address in the Domain Name Server. If the return address domain name does not match the IP address, the e-mail is marked as spam and the action selected in the protection profile is taken.

  • MIME headers check - Enable or disable checking source MIME headers against the configured spam filter. The administrator can add MIME headers to the list, with the option of using wildcards and regular expressions. The action can be configured as ‘spam’ or ‘clear’ for each MIME header.

  • Banned word check - Enable or disable checking source e-mail against the configured spam filter banned word list. The administrator can add banned words to the list, with the option of using wildcards and regular expressions. It is also possible to configure the language and whether to search the e-mail body, subject, or both. The action can be configured as ‘spam’ or ‘clear’ for each word.

  • Spam Action - The action to take on e-mail identified as spam. POP3 and IMAP messages are tagged, but a choice is offered between ‘tag’ or ‘discard’ for SMTP messages. A custom word or phrase can be appended to the subject or MIME header of tagged e-mail.

  • Log - Enable or disable logging of spam actions to the event log.

Note that per-user White and Black Lists are not supported.
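The following Python is an added worked example, not Fortinet’s implementation, of the filter chain semantics described above: filters run in the documented order, SMTP-only checks are skipped for POP3/IMAP, a ‘clear’ match exempts the message from every remaining filter, a ‘reject’ drops the session, and ‘spam’ results in tagging (or, for SMTP only, discarding). The DNS table, the DNSBL-listed address, the e-mail addresses and the message contents are constructed; the DNSBL, HELO and return-address checks are simulated with a dictionary rather than real lookups.

```python
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Mail:
    protocol: str       # "SMTP", "POP3" or "IMAP"
    source_ip: str      # connecting MTA address (meaningful for SMTP only)
    helo: str           # HELO/EHLO name (SMTP only)
    sender: str         # return address
    headers: dict
    subject: str
    body: str


# Constructed forward-DNS table standing in for live lookups.
CONSTRUCTED_DNS = {
    "mail.example-partner.test": "192.0.2.10",
    "example-partner.test": "192.0.2.10",
    "bulk-sender.test": "198.51.100.5",
}


def resolve(name):
    return CONSTRUCTED_DNS.get(name.lower())


@dataclass
class SpamProfile:
    ip_bwl: dict            # source IP -> "spam" | "clear" | "reject"
    dnsbl_listed: set       # constructed stand-in for DNSBL/ORDBL answers
    dnsbl_action: str       # "spam" | "reject"
    email_bwl: dict         # wildcard on sender address -> "spam" | "clear" | "reject"
    mime_headers: dict      # (header name, regex) -> "spam" | "clear"
    banned_words: dict      # regex on subject + body -> "spam" | "clear"
    helo_dns_check: bool = True
    return_dns_check: bool = True
    smtp_spam_action: str = "tag"   # "tag" or "discard"; POP3/IMAP can only tag
    tag_text: str = "[SPAM]"


def run_filters(profile, mail):
    """Run the chain in the documented order. Returns the verdict ("tag", "discard",
    "reject" or "clear"), the filter that decided, and the message as delivered
    (None when the session is dropped)."""
    smtp = mail.protocol == "SMTP"
    domain = mail.sender.split("@")[-1]
    text = mail.subject + "\n" + mail.body
    checks = [   # (name, SMTP only?, check returning an action or None)
        ("ip bwl", True, lambda: profile.ip_bwl.get(mail.source_ip)),
        ("dnsbl/ordbl", True, lambda: profile.dnsbl_action
         if mail.source_ip in profile.dnsbl_listed else None),
        ("helo dns", True, lambda: "spam"
         if profile.helo_dns_check and resolve(mail.helo) != mail.source_ip else None),
        ("email bwl", False, lambda: next((a for p, a in profile.email_bwl.items()
                                           if fnmatch.fnmatchcase(mail.sender.lower(), p.lower())), None)),
        ("return dns", False, lambda: "spam"
         if profile.return_dns_check and resolve(domain) is None else None),
        ("mime header", False, lambda: next((a for (h, p), a in profile.mime_headers.items()
                                             if re.search(p, mail.headers.get(h, ""), re.IGNORECASE)), None)),
        ("banned word", False, lambda: next((a for p, a in profile.banned_words.items()
                                             if re.search(p, text, re.IGNORECASE)), None)),
    ]
    for name, smtp_only, check in checks:
        if smtp_only and not smtp:
            continue
        action = check()
        if action is None:
            continue                                                    # hand on to the next filter
        if action == "clear":
            return {"verdict": "clear", "filter": name, "mail": mail}   # exempt from the rest
        if action == "reject":
            return {"verdict": "reject", "filter": name, "mail": None}  # session dropped
        if smtp and profile.smtp_spam_action == "discard":
            return {"verdict": "discard", "filter": name, "mail": None}
        mail.subject = f"{profile.tag_text} {mail.subject}"
        return {"verdict": "tag", "filter": name, "mail": mail}
    return {"verdict": "clear", "filter": None, "mail": mail}


def run_examples():
    profile = SpamProfile(ip_bwl={}, dnsbl_listed={"198.51.100.5"}, dnsbl_action="reject",
                          email_bwl={"*@example-partner.test": "clear"},
                          mime_headers={("X-Mailer", r"bulkblaster"): "spam"},
                          banned_words={r"\bcasino\b": "spam"})

    def mk(protocol, ip, helo, sender):   # constructed messages, all carrying the banned word
        return Mail(protocol, ip, helo, sender, {}, "hi", "Visit our casino tonight")

    return {
        # SMTP from a DNSBL-listed relay: rejected before any content check runs
        "listed_mta": run_filters(profile, mk("SMTP", "198.51.100.5", "mx.bulk-sender.test", "promo@bulk-sender.test")),
        # the same message fetched over POP3: SMTP-only checks are skipped, the banned word tags it
        "pop3_pickup": run_filters(profile, mk("POP3", "", "", "promo@bulk-sender.test")),
        # white-listed sender domain: "clear" exempts it from the banned word check
        "partner": run_filters(profile, mk("SMTP", "192.0.2.10", "mail.example-partner.test", "alice@example-partner.test")),
        # forged partner address from an unrelated host: the HELO check runs before the white list
        "forged_helo": run_filters(profile, mk("SMTP", "203.0.113.77", "mail.example-partner.test", "alice@example-partner.test")),
    }
```

The "partner" case is the one to watch: because the e-mail address white list is consulted before the MIME header and banned word checks, a ‘clear’ entry for a whole domain exempts anything claiming to come from that domain, and the sender address is trivially forged. On SMTP the HELO DNS lookup runs earlier and catches the forgery ("forged_helo"), but that check does not apply to POP3 or IMAP pickup, where the white list is the first thing consulted.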

Alert Handling

The FortiGate device can be configured to log network activity from routine configuration changes and traffic sessions to emergency events.

It is also possible to configure the FortiGate to send alert e-mail messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.

The administrator can configure the logs that he wants to record and the message categories that he requires in each log via the Log Filter tab. Logging can be enabled or disabled for each of the individual security modules. It is possible to record logs to one or more of:

  • A computer running a syslog server

  • A computer running a WebTrends firewall reporting server

  • The FortiGate hard disk - the maximum size and rollover frequency can be set in the Log Config tab within the GUI. When a log file is rolled over, it can also be automatically uploaded to a remote FTP server

  • Memory (restricted to the last 128 events)

Unfortunately, separate log files are created for each of the security modules, making it difficult to keep an eye on what is happening on the device as a whole (when, for example, an exploit detected by the IPS is followed up with a worm outbreak detected by the AV scanner). However, this is mitigated somewhat by the System Status screen which provides an excellent summary of all recent activity on the device.


Figure 13 - FortiGate: Viewing AV Alerts

Log entries can be displayed via the GUI, each entry containing the date and time, attack ID, source and destination IP address, source and destination port, source and destination interface, protocol, alert level, host name, URL and alert description (the columns vary depending on the type of alert).

The data can either be presented in its raw “syslog” format or in a more easily readable spreadsheet format. Unfortunately, there is no way to sort on different data columns or to select data for further drill-down operations (i.e. to select a particular source IP address and show all alerts from that address only).

There is a basic search facility that allows a search on specific keywords from the raw data (multiple keywords and a start/end date/time can be specified), and this would allow the administrator to search for specific IP addresses (though without the ability to discriminate between source or destination addresses) or for a specific virus name, and so on. For more advanced alert handling, however, third party tools or the optional Fortinet reporting tools are a must.

Duplicate log events raised within a given time-frame are aggregated and reported as a single event (which includes a count of the total number of events raised) to reduce clutter in the logs.
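To show how the separate per-module log files can still be worked with off the box, here is an added Python example (not part of the product or of this review) that merges constructed IPS and AV log excerpts into one time-ordered stream, applies the duplicate-event aggregation just described (repeats of the same type, source and signature inside a window collapse into one record carrying a count), and then looks for the sequence mentioned earlier: an IPS detection against a host followed by the AV scanner catching that same host sending a virus. The key=value line layout, the addresses, the attack IDs and the virus name are constructed for the example and are not the appliance’s exact record format.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample log lines in a generic key=value layout (not the appliance's
# own record format); one excerpt per module, as the FortiGate keeps them.
IPS_LOG = """\
date=2005-03-01 time=10:00:01 type=ips src=192.0.2.7 dst=10.0.0.5 attack_id=1024 msg="IIS.Unicode.Traversal"
date=2005-03-01 time=10:00:02 type=ips src=192.0.2.7 dst=10.0.0.5 attack_id=1024 msg="IIS.Unicode.Traversal"
date=2005-03-01 time=10:00:05 type=ips src=192.0.2.7 dst=10.0.0.5 attack_id=1024 msg="IIS.Unicode.Traversal"
date=2005-03-01 time=10:07:30 type=ips src=192.0.2.9 dst=10.0.0.5 attack_id=2048 msg="FTP.Bounce"
"""
AV_LOG = """\
date=2005-03-01 time=10:03:15 type=virus src=10.0.0.5 dst=10.0.0.21 service=smtp virus="W32/Example.worm"
date=2005-03-01 time=10:03:16 type=virus src=10.0.0.5 dst=10.0.0.22 service=smtp virus="W32/Example.worm"
"""


def parse(text):
    """Turn key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def merge(*logs):
    """One time-ordered stream across the per-module log files."""
    return sorted((e for log in logs for e in parse(log)), key=lambda e: e["ts"])


def aggregate(events, window=timedelta(seconds=60)):
    """Collapse repeats of the same (type, src, signature) that start inside `window`
    into one record carrying a count, like the appliance's duplicate-event aggregation.
    dst is deliberately left out of the key so a worm mailing many recipients
    collapses into a single record."""
    out = []
    open_slots = {}          # key -> index into out of the record still collecting repeats
    for e in events:
        key = (e["type"], e["src"], e.get("attack_id") or e.get("virus"))
        idx = open_slots.get(key)
        if idx is not None and e["ts"] - out[idx]["ts"] <= window:
            out[idx]["count"] += 1
            continue
        out.append(dict(e, count=1))
        open_slots[key] = len(out) - 1
    return out


def correlate(events, window=timedelta(minutes=10)):
    """Flag an IPS detection against a host that is followed, within `window`,
    by the AV scanner catching that same host sending a virus."""
    hits = []
    for i, ips in enumerate(events):
        if ips["type"] != "ips":
            continue
        for av in events[i + 1:]:
            if av["ts"] - ips["ts"] > window:
                break
            if av["type"] == "virus" and av["src"] == ips["dst"]:
                hits.append((ips["msg"], ips["dst"], av["virus"], av["count"]))
    return hits


def run_examples():
    stream = aggregate(merge(IPS_LOG, AV_LOG))
    return stream, correlate(stream)
```

On the constructed input the three IIS.Unicode.Traversal repeats collapse into one record with a count of 3, the two worm detections into one with a count of 2, and the correlation reports the traversal attempt against 10.0.0.5 followed three minutes later by that host emitting the worm; the later FTP.Bounce event has no following AV record and is not reported.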

Reporting and Analysis

A simple text and pie chart format report on Web category filtering only can be generated for any profile. The FortiGate unit maintains statistics for allowed, blocked and monitored Web pages for each category. The report can be generated for a range of hours or days, or a complete report of all activity can be viewed.


Figure 14 - FortiGate: Web Category Filter Report

There are no other reporting or analysis tools built into the base product. Optional logging, reporting and analysis products are available at extra cost in the form of FortiLog and FortiReporter.

Verdict

Performance

The firewall is officially rated at 4Gbps by Fortinet, though it was only tested to a maximum of 1Gbps in this test. With a capacity of almost 20,000 TCP connections per second, over 10,000 SMTP sessions per second, and an effective bandwidth of 1Gbps in our testing environment, the basic firewall would perform well in a Gigabit environment.

Latency is in the region of 349-375µs with 512 byte packets, which is excellent for a device designed for the network perimeter.

As you would expect, performance is at its worst once all modules are enabled. However, it should be noted that the effects are not strictly cumulative. Even though both Anti Virus and Anti Spam modules have significant performance impacts when enabled individually, for example (see detailed results in Appendix A), the overall effect of having both enabled is not significantly greater than each one individually.

We consider overall performance to be very good for a device of this type, and the price/performance ratio is excellent.

Security Effectiveness

The basic firewall was straightforward to configure, and although things can be kept as simple as required, the ability to apply a different security profile to each firewall policy (rule) makes this an extremely flexible and powerful product.

For example, certain traffic between specific subnets can be inspected for spam and viruses, whilst traffic for another subnet can have AV applied only. At present, the one shortcoming is the inability to configure an IPS security profile at the individual policy level. IPS settings are global, meaning that it is not possible to omit IIS Web signatures for your Apache servers, and omit all Web signatures for your FTP servers.

IPS capabilities are good, demonstrating good coverage and good resistance to common evasion techniques. The IPS module has been separately certified and received NSS Approved as a stand-alone 400Mbps IPS device - currently the only UTM device to have achieved this.

URL category filtering was excellent, with 100% of our “bad” URLs being detected and no overblocking evident during our tests. Categorisation seemed to be reasonably accurate.

Virus scanning was excellent. All of the WildList virus samples in our test suite were detected and blocked successfully with accurate signatures, whilst all of the zoo virus samples were detected successfully using heuristic scanning.

Spam filtering was excellent, with a wide range of options available (although it would be nice to see some form of lexical analysis added to the armoury). Despite the fact that during our test the device was relying totally on scanning for spam-related URLs within the test corpus, 92 per cent of the live spam samples in our test suite were detected and blocked successfully.

Usability

The Web Manager included out of the box is an intuitive, straightforward browser-based GUI which provides a good tool for configuring, managing and monitoring a single device (or small number of devices).

The absence of Java makes this Web-based interface very slick and fast, and means FortiGate can be managed from any PC with a browser without worrying about which version of the Java Run-time Environment is installed.

From a usability point of view, Fortinet has done an excellent job of making all of the various security modules configurable via a single interface in a straightforward and intuitive way. Most of the complexity is hidden beneath the surface (either hard-wired or configurable only via the command line) leaving the administrator with a number of simple check boxes and radio buttons to keep life as simple as possible. The downside to this simplicity is that all settings such as quarantine, white lists, black lists, and so on are all global rather than per-user. However, for most of the target market for these types of devices this will not be an issue for now.

We found that with only occasional reference to the excellent on-line help, and no recourse to the extensive user guides at all, we were able to install, configure and manage the entire system with no problems - that is more than can be said of many of the products which visit our labs.

And whilst it may not be for everyone, the provision of a familiar and very comprehensive Command Line Interface allowed us to complete any tasks not possible via the GUI.

One area in which the product is lacking out of the box is alert handling and reporting. Alert handling is very basic, and reporting is virtually non-existent. For those customers wishing to deploy multiple appliances or with more advanced reporting and analysis requirements, Fortinet’s alternative management and reporting offerings should be investigated.

We found FortiManager to be a much more scalable solution when it comes to managing and monitoring multiple devices across an enterprise, providing the means to define policies centrally and distribute them to groups of devices at the click of a button.

Contact Details

Company name: Fortinet, Inc
Email: [email protected]
Internet: www.fortinet.net
Address: 1090 Kifer Road, Sunnyvale, CA 9408
Tel: +1 408 235 7700
Fax: +1 408 235 7737


Copyright © 1991-2005 The NSS Group Ltd. All rights reserved.